Document containing user email addresses stolen.

After some investigation, the free file-hosting service determined that passwords stolen from other websites had been used to access a "small number" of Dropbox accounts, engineer Aditya Agarwal said on the company blog.

Among those affected was an unnamed Dropbox employee who used the same password on an unspecified website as well as on his Dropbox account, which also contained a "project document with user email addresses," Agarwal wrote.

The unsolicited messages sent to Dropbox users predominantly advertised European gambling websites. Users complained on company forums that they were receiving spam in email accounts that had been specifically created for use with the service.

The company subsequently launched an internal investigation and brought in an outside security team to track down what might have happened.

While the company said on July 21 that it had not received "any reports of unauthorized activity" on Dropbox accounts, two weeks later it confirmed the breach, and urged users to make sure they were using unique passwords across online services.

"The Dropbox incident underlines the necessity of having different passwords for every website," Graham Cluley, senior technology consultant at Sophos, told SC. "

As people pile more confidential information onto the web, hackers are being given a greater incentive to penetrate accounts. The frequency and severity of these data breaches is proving time and time again that users must make better efforts to protect themselves."

The fact that the password was siphoned from a third-party source and used against Dropbox shows that password complexity requirements or other policies are "useless and impractical," Jay Heiser, a research vice president at Gartner, wrote on his blog.

"The passwords were stolen outside of Dropbox, so no amount of password complexity on the part of Dropbox could have prevented these incidents," Heiser wrote, adding that more secure authentication methods were necessary to protect users.

Dropbox may be coming around to that view, as Agarwal outlined new security features that will be rolled out to users over the next few weeks, including two-factor authentication, a new page that lists logs of recent user activity and "other automated mechanisms to help identify suspicious identity."

Dropbox will also proactively start prompting users to change their password if the systems detect it hasn't been changed in a while or is commonly used, Agarwal said.

Dropbox did not immediately respond to SCMagazine.com when asked when these features will be rolled out.

Take part in discussions with comments on blogs, news and reviews; receive all the latest industry news directly to your inbox and tailor make your information specifically to your interests. Join now for free.

Please check your email

A confirmation email has been sent to your email address - SUPPLIED GOES EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.

If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @itnews.com.au to your white-listed senders.